FortiGate
acvaldez
Staff
Article Id 301757
Description: This article describes how to allow traffic that enters and leaves the FortiGate on the same logical interface when the source and destination IPs belong to different networks.
Scope: FortiGate 7.0.14 and later, 7.2.6 and later, 7.4.0 and later.
Solution:

[Diagram: same ingress and egress interface]

  • In this diagram, the test machine 10.115.1.70 sends an ICMP packet to 10.117.4.197.
  • Both the ingress and the egress of this traffic pass through VLAN 115.

This traffic fails when 'allow-traffic-redirect' is enabled, which is the default in the FortiGate global configuration:

Alza-kvm34 # config sys global
Alza-kvm34 (global) # get | grep -f allow-traffic-redirect
allow-traffic-redirect: enable  <---
ipv6-allow-traffic-redirect: enable  <---

This is how the debug flow looks for the test traffic while 'allow-traffic-redirect' is enabled: only the ICMP replies are seen, and each one is dropped because no session matches it.

Alza-kvm34 # id=20085 trace_id=54 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 10.117.4.197:91->10.115.1.70:0) tun_id=0.0.0.0 from vlan 115. type=0, code=0, id=91, seq=0."
id=20085 trace_id=54 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-10.115.1.70 via vlan 115"
id=20085 trace_id=54 func=fw_forward_dirty_handler line=374 msg="no session matched"
id=20085 trace_id=55 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 10.117.4.197:91->10.115.1.70:0) tun_id=0.0.0.0 from vlan 115. type=0, code=0, id=91, seq=1."
id=20085 trace_id=55 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-10.115.1.70 via vlan 115"
id=20085 trace_id=55 func=fw_forward_dirty_handler line=374 msg="no session matched"
id=20085 trace_id=56 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 10.117.4.197:91->10.115.1.70:0) tun_id=0.0.0.0 from vlan 115. type=0, code=0, id=91, seq=2."
id=20085 trace_id=56 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-10.115.1.70 via vlan 115"
id=20085 trace_id=56 func=fw_forward_dirty_handler line=374 msg="no session matched"

The traffic fails because the ICMP reply comes from the subnet 10.117.4.0/24, which is different from the subnet 10.115.1.0/24 configured on the FortiGate interface.

For the FortiGate to redirect the reply, the ICMP reply would have to match a firewall policy and an existing session, since asymmetric routing is not permitted on FortiGate by default.

However, no session exists for this ICMP traffic: the source address of the ICMP request is in the same subnet as the FortiGate interface, so no policy or session is required for the request, and the reply therefore has nothing to match. Details can be found in the documents below:

Related articles:

Technical Tip: Traffic handled by FortiGate for packet which ingress and egress same interface

Technical Note: How the FortiGate behaves when asymmetric routing is enabled

To make this traffic work, configure the following:

  • Set 'allow-traffic-redirect' from enable to disable:

Alza-kvm34 # config sys global
Alza-kvm34 (global) # set allow-traffic-redirect disable
Alza-kvm34 (global) # end
Alza-kvm34 # show sys global | grep -f allow-traffic-redirect
config system global
    set admin-https-redirect disable
    set admintimeout 480
    set alias "FGVM01TM19006298"
    set allow-traffic-redirect disable <---
    set gui-ipv6 enable
    set gui-local-out enable
    set hostname "Alza-kvm34"
    set lldp-transmission enable
    set timezone 57
end

  • Configure a firewall policy for this traffic, with vlan 115 as both the source and the destination interface:

Alza-kvm34 # config firewall policy
Alza-kvm34 (policy) # show
config firewall policy
    edit 1
        set name "vlan 115 to 115"
        set uuid 328a4122-d53d-51ee-9a0f-171d6947d4b6
        set srcintf "vlan 115"
        set dstintf "vlan 115"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
end

After these changes, the debug flow shows the ICMP request creating a session and being allowed by policy 1, and the ICMP reply matching that session in the reply direction:

Alza-kvm34 # id=20085 trace_id=72 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 10.115.1.70:95->10.117.4.197:2048) tun_id=0.0.0.0 from vlan 115. type=8, code=0, id=95, seq=0."
id=20085 trace_id=72 func=init_ip_session_common line=6046 msg="allocate a new session-0069d984, tun_id=0.0.0.0"
id=20085 trace_id=72 func=iprope_dnat_check line=5336 msg="in-[vlan 115], out-[]"
id=20085 trace_id=72 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=72 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=72 func=vf_ip_route_input_common line=2611 msg="find a route: flag=05000000 gw-10.115.4.202 via vlan 115"
id=20085 trace_id=72 func=iprope_fwd_check line=782 msg="in-[vlan 115], out-[vlan 115], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
id=20085 trace_id=72 func=__iprope_tree_check line=561 msg="gnum-100004, use addr/intf hash, len=2"
id=20085 trace_id=72 func=__iprope_check_one_policy line=2025 msg="checked gnum-100004 policy-1, ret-matched, act-accept"
id=20085 trace_id=72 func=__iprope_user_identity_check line=1814 msg="ret-matched"
id=20085 trace_id=72 func=__iprope_check_one_policy line=2242 msg="policy-1 is matched, act-accept"
id=20085 trace_id=72 func=iprope_fwd_check line=819 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-1"
id=20085 trace_id=72 func=iprope_fwd_auth_check line=838 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-1"
id=20085 trace_id=72 func=fw_forward_handler line=881 msg="Allowed by Policy-1:"
id=20085 trace_id=72 func=__if_queue_push_xmit line=391 msg="send out via dev-port2, dst-mac-00:43:61:6d:44:02"
id=20085 trace_id=73 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 10.117.4.197:95->10.115.1.70:0) tun_id=0.0.0.0 from vlan 115. type=0, code=0, id=95, seq=0."
id=20085 trace_id=73 func=resolve_ip_tuple_fast line=5953 msg="Find an existing session, id-0069d984, reply direction"
id=20085 trace_id=73 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-10.115.1.70 via vlan 115"
id=20085 trace_id=73 func=npu_handle_session44 line=1183 msg="Trying to offloading session from vlan 115 to vlan 115, skb.npu_flag=00000000 ses.state=00000200 ses.npu_state=0x00000100"
id=20085 trace_id=73 func=fw_forward_dirty_handler line=410 msg="state=00000200, state2=00000000, npu_state=00000100"
id=20085 trace_id=73 func=__if_queue_push_xmit line=391 msg="send out via dev-port2, dst-mac-00:41:6c:7a:28:02"
id=20085 trace_id=74 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 10.115.1.70:95->10.117.4.197:2048) tun_id=0.0.0.0 from vlan 115. type=8, code=0, id=95, seq=1."
id=20085 trace_id=74 func=resolve_ip_tuple_fast line=5953 msg="Find an existing session, id-0069d984, original direction"
id=20085 trace_id=74 func=ipv4_fast_cb line=53 msg="enter fast path"
id=20085 trace_id=74 func=__if_queue_push_xmit line=391 msg="send out via dev-port2, dst-mac-00:43:61:6d:44:02"
id=20085 trace_id=75 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 10.117.4.197:95->10.115.1.70:0) tun_id=0.0.0.0 from vlan 115. type=0, code=0, id=95, seq=1."
id=20085 trace_id=75 func=resolve_ip_tuple_fast line=5953 msg="Find an existing session, id-0069d984, reply direction"
id=20085 trace_id=75 func=ipv4_fast_cb line=53 msg="enter fast path"
id=20085 trace_id=75 func=__if_queue_push_xmit line=391 msg="send out via dev-port2, dst-mac-00:41:6c:7a:28:02"
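Reading the before and after debug flows side by side is the whole diagnosis in this article, so here is an added Python helper (example code written for this page, not Fortinet's own tooling) that parses 'diagnose debug flow' output, groups lines by trace_id, records the ingress interface from the packet line and the egress interface from the route lookup, and flags traces that were dropped with 'no session matched' while entering and leaving on the same interface. It also reads the allow-traffic-redirect value from either the 'get' or the 'show' form of the global config. The sample lines are copied from this article; the function names, the result-dictionary layout and the 'Denied by' branch (a policy-deny message that does not appear on this page) are this example's own assumptions.

```python
import re

# Constructed samples: lines copied from the 'diagnose debug flow' captures and the
# global-config output shown in this article, trimmed to what the parser needs.
GET_GLOBAL_BEFORE = """\
allow-traffic-redirect: enable
ipv6-allow-traffic-redirect: enable
"""

SHOW_GLOBAL_AFTER = """\
config system global
    set allow-traffic-redirect disable
    set hostname "Alza-kvm34"
end
"""

FLOW_BEFORE_FIX = """\
id=20085 trace_id=54 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 10.117.4.197:91->10.115.1.70:0) tun_id=0.0.0.0 from vlan 115. type=0, code=0, id=91, seq=0."
id=20085 trace_id=54 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-10.115.1.70 via vlan 115"
id=20085 trace_id=54 func=fw_forward_dirty_handler line=374 msg="no session matched"
"""

FLOW_AFTER_FIX = """\
id=20085 trace_id=72 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 10.115.1.70:95->10.117.4.197:2048) tun_id=0.0.0.0 from vlan 115. type=8, code=0, id=95, seq=0."
id=20085 trace_id=72 func=init_ip_session_common line=6046 msg="allocate a new session-0069d984, tun_id=0.0.0.0"
id=20085 trace_id=72 func=vf_ip_route_input_common line=2611 msg="find a route: flag=05000000 gw-10.115.4.202 via vlan 115"
id=20085 trace_id=72 func=fw_forward_handler line=881 msg="Allowed by Policy-1:"
id=20085 trace_id=73 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 10.117.4.197:95->10.115.1.70:0) tun_id=0.0.0.0 from vlan 115. type=0, code=0, id=95, seq=0."
id=20085 trace_id=73 func=resolve_ip_tuple_fast line=5953 msg="Find an existing session, id-0069d984, reply direction"
id=20085 trace_id=73 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-10.115.1.70 via vlan 115"
"""

LINE_RE = re.compile(r'trace_id=(?P<tid>\d+) func=(?P<func>\S+) line=\d+ msg="(?P<msg>.*)"')
# Packet line: addresses, the ingress interface after 'from', and the ICMP type if present.
PKT_RE = re.compile(r'\(proto=\d+, (?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+\).* from '
                    r'(?P<intf>.+?)\.(?:\s+type=(?P<type>\d+)|\s|$)')
ROUTE_RE = re.compile(r' via (?P<intf>.+)$')          # egress interface from the route lookup
GET_RE = re.compile(r'^\s*allow-traffic-redirect\s*:\s*(\w+)', re.M)   # 'get' output form
SET_RE = re.compile(r'^\s*set allow-traffic-redirect (\w+)', re.M)     # 'show' output form


def traffic_redirect_setting(cli_output):
    """Return 'enable' or 'disable' from 'get'/'show' output, or None if not present."""
    m = GET_RE.search(cli_output) or SET_RE.search(cli_output)
    return m.group(1) if m else None


def parse_debug_flow(text):
    """Group debug-flow lines by trace_id and record the addresses, ICMP type,
    ingress/egress interface and final verdict for each packet."""
    traces = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        t = traces.setdefault(m['tid'], {
            'trace_id': m['tid'], 'src': None, 'dst': None, 'icmp_type': None,
            'in_intf': None, 'out_intf': None, 'verdict': 'undecided'})
        func, msg = m['func'], m['msg']
        if func == 'print_pkt_detail':
            p = PKT_RE.search(msg)
            if p:
                t.update(src=p['src'], dst=p['dst'], in_intf=p['intf'], icmp_type=p['type'])
        elif func == 'vf_ip_route_input_common':
            r = ROUTE_RE.search(msg)
            if r:
                t['out_intf'] = r['intf']
        elif msg == 'no session matched':
            t['verdict'] = 'dropped: no session matched'
        elif msg.startswith('Allowed by '):
            t['verdict'] = 'allowed by ' + msg[len('Allowed by '):].rstrip(':')
        elif msg.startswith('Find an existing session'):
            t['verdict'] = 'existing session (' + msg.split(', ')[-1] + ')'
        elif msg.startswith('Denied by '):        # assumption: generic policy-deny message
            t['verdict'] = 'denied: ' + msg
    return traces


def hairpin_drops(text):
    """Traces dropped for lack of a session whose ingress and egress interface are the
    same: the symptom this article describes when allow-traffic-redirect stays enabled."""
    return [t for t in parse_debug_flow(text).values()
            if t['verdict'].startswith('dropped') and t['in_intf'] is not None
            and t['in_intf'] == t['out_intf']]


if __name__ == '__main__':
    print('allow-traffic-redirect before:', traffic_redirect_setting(GET_GLOBAL_BEFORE))
    print('allow-traffic-redirect after: ', traffic_redirect_setting(SHOW_GLOBAL_AFTER))
    for label, flow in (('before', FLOW_BEFORE_FIX), ('after', FLOW_AFTER_FIX)):
        for t in parse_debug_flow(flow).values():
            print(label, t['trace_id'], t['src'], '->', t['dst'],
                  t['in_intf'], '->', t['out_intf'], '|', t['verdict'])
    print('hairpin drops before fix:', [t['trace_id'] for t in hairpin_drops(FLOW_BEFORE_FIX)])
```

Two points worth keeping in mind when applying the fix itself: 'allow-traffic-redirect' is a global setting, so disabling it subjects same-interface traffic on every interface to policy lookup, and the IPv6 counterpart shown in the 'get' output ('ipv6-allow-traffic-redirect') is a separate setting. The policy in this article uses srcaddr/dstaddr "all" and service "ALL" to demonstrate the behaviour; in production the same policy is normally scoped to the two subnets and the services actually needed, which also keeps the resulting traffic logs meaningful.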

 
